glezJos91986
Beginner

EPG without a physical domain association

Hello community,

It is required to assign a physical domain to an EPG? Is not the static path assignment enough? In that case what exactly is the purpose of assign a physical domain to an EPG?

As I understood when I went over some documentation, the domain is necessary because it provides the range of VLANs that we are allowed to use in the static path assignment, this is, if our domain includes vlans from 300-350, we just cannot assign vlan 250 to an EP within that EPG.


My confusion came for the fact that in an online ACI course, the engineer forgot to include a domain in the EPG and he was still able to assign a vlan under the static port assignment for both EPs and the EPs were also able to communicate with each other with no problem at all, and no domain defined for the EPG at that point!!!


Is that the way that is supposed to be? Am I missing something here?

Accepted Solutions
Robert Burns
Cisco Employee

[Edited: Corrected statement on feature name per Chris' catch]

Yes, it's going to work without assigning a domain to the EPG.  I raised the enhancement to correct this behavior many years ago and we introduced the "Enforce Domain Validation" feature under the System Settings - Fabric Wide Settings - Enforce Domain Validation.  With this enabled (best practice to turn this on) it will NOT program the VLAN on the interface.  Instead it will raise a fault.  Even running with the configuration you have, ACI will still raise a fault on the EPG, but the programming will still be applied on the interface.  Obviously this isn't a good idea, as the Domain becomes an RBAC control point where an Infrastructure/Access Policy Admin can restrict Tenant Admins from mistakenly assigning VLANs to interfaces they shouldn't be.

Robert



Thank you, Robert! I did not know about that "Enforce EPG VLAN Validation" option; it all makes sense now!

By the way, is that feature enabled by default in ACI? Or do we actually need to keep in mind to enable it as a best practice, like you mentioned?


Thanks again!

Since it wasn't a day-one feature, it must be enabled manually. By default this feature is disabled.

Robert

Got it, thank you so much, Robert!

I was really struggling with that since I noticed it by mistake.

Accident or not, that's a good catch to notice this behavior.  It shows you're verifying your policy deployment and then questioning its operation - which I love to see.  Any time your team configures Tenant policies, always check the configured object itself (EPG/BD etc.) or the parent Tenant (which they all roll up into) for any faults.  Quick and easy way to find and avoid issues.

Let us know if you have any other Qs.

Robert 

Thank you so much, I really appreciate it!!

RedNectar
Advocate

Hi @glezJos91986 ,

Just three points to add to Robert's explanations.

Firstly, @robert is not EXACTLY right when he says:

"Enforce Domain Validation" feature under the System Settings - Fabric Wide Settings - Enforce EPG VLAN Validation (previously called Domain Validation)

because it is STILL called Enforce Domain Validation - AND there is a DIFFERENT option to Enforce EPG VLAN Validation.

[image: image.png]

So, @glezJos91986 - the feature that you really need is indeed the Enforce Domain Validation - NOT the Enforce EPG VLAN Validation.

Secondly, you need to understand that IF you have taken APIC Fabric backups or snapshots BEFORE you flick the ACI Enforce Domain Validation option on, you will NOT be able to restore them once the option has been toggled. This is because once it's turned on, you can't turn it off. And if you were to restore a Fabric backup, it would be attempting to turn the switch off.

And thirdly, and this is really cosmetic - I want to make sure you know about the best App you can add to ACI - it's called the Policy Viewer - and when installed, you can look at your EPGs and see the whole Tenant AND Access Policy Chain - but ONLY after the EPG has been linked to the Domain. It is just AWESOME.

[image: image.png]

RedNectar
aka Chris Welsh


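As an added example (not code from this thread, from Cisco, or from the Policy Viewer app), the script below does offline what Robert recommends doing by hand and what Enforce Domain Validation does for you on the fabric: it reads an APIC-style JSON configuration export and lists every EPG static path binding that either sits on an EPG with no domain association at all, or uses a VLAN outside every VLAN pool reachable through the EPG's domains. It also reports the state of the two fabric-wide knobs Chris distinguishes. The export embedded in the script is constructed for the example; the object tree layout (polUni, infraInfra, fvnsVlanInstP, physDomP with infraRsVlanNs, fvAEPg with fvRsDomAtt and fvRsPathAtt) and the infraSetPol attribute names domainValidation and validateOverlappingVlans are assumptions drawn from the APIC object model, so verify them against your own APIC version before relying on the output.

```python
"""Offline audit of an APIC configuration export (JSON): list EPG static
path bindings that sit on an EPG with no domain association, or whose VLAN
is outside every VLAN pool of the EPG's domains, and report whether the
fabric-wide Enforce Domain Validation setting is on.

Illustrative script written for this thread, not Cisco code. Assumptions:
the usual APIC object tree (polUni -> infraInfra / physDomP / fvTenant ...)
and the infraSetPol attribute names domainValidation (Enforce Domain
Validation) and validateOverlappingVlans (Enforce EPG VLAN Validation)."""
import json
import re

VLAN_RE = re.compile(r"^vlan-(\d+)$")

# Constructed sample in the shape of an APIC JSON export; not a real fabric.
# Domain WebDom -> pool WebPool (vlan 300-350). EPG Web is bound to WebDom and
# has one good path (vlan-310) and one out-of-pool path (vlan-250). EPG DB has
# a static path but no domain at all, which the thread says still gets
# programmed unless Enforce Domain Validation is enabled.
SAMPLE_SNAPSHOT = json.dumps({"polUni": {"attributes": {"dn": "uni"}, "children": [
    {"infraInfra": {"attributes": {"dn": "uni/infra"}, "children": [
        {"infraSetPol": {"attributes": {"dn": "uni/infra/settings",
                                        "domainValidation": "no",
                                        "validateOverlappingVlans": "no"}}},
        {"fvnsVlanInstP": {"attributes": {"dn": "uni/infra/vlanns-[WebPool]-static",
                                          "name": "WebPool", "allocMode": "static"},
                           "children": [{"fvnsEncapBlk": {"attributes": {"from": "vlan-300", "to": "vlan-350"}}}]}}]}},
    {"physDomP": {"attributes": {"dn": "uni/phys-WebDom", "name": "WebDom"},
                  "children": [{"infraRsVlanNs": {"attributes": {"tDn": "uni/infra/vlanns-[WebPool]-static"}}}]}},
    {"fvTenant": {"attributes": {"dn": "uni/tn-Prod", "name": "Prod"}, "children": [
        {"fvAp": {"attributes": {"dn": "uni/tn-Prod/ap-App1"}, "children": [
            {"fvAEPg": {"attributes": {"dn": "uni/tn-Prod/ap-App1/epg-Web"}, "children": [
                {"fvRsDomAtt": {"attributes": {"tDn": "uni/phys-WebDom"}}},
                {"fvRsPathAtt": {"attributes": {"tDn": "topology/pod-1/paths-101/pathep-[eth1/1]", "encap": "vlan-310"}}},
                {"fvRsPathAtt": {"attributes": {"tDn": "topology/pod-1/paths-101/pathep-[eth1/2]", "encap": "vlan-250"}}}]}},
            {"fvAEPg": {"attributes": {"dn": "uni/tn-Prod/ap-App1/epg-DB"}, "children": [
                {"fvRsPathAtt": {"attributes": {"tDn": "topology/pod-1/paths-102/pathep-[eth1/5]", "encap": "vlan-320"}}}]}}]}}]}}]}})


def walk(node, parent_dn=None):
    """Depth-first walk of an APIC JSON object tree.

    Yields (class_name, attributes, nearest_ancestor_dn); the ancestor DN is what
    ties a relation object (fvRsPathAtt, infraRsVlanNs, ...) back to its owner."""
    for cls, body in node.items():
        attrs = body.get("attributes", {})
        yield cls, attrs, parent_dn
        for child in body.get("children", []):
            yield from walk(child, attrs.get("dn") or parent_dn)


def vlan_id(encap):
    """'vlan-310' -> 310; anything else (unknown, vxlan-..., None) -> None."""
    m = VLAN_RE.match(encap or "")
    return int(m.group(1)) if m else None


def audit(snapshot_text):
    """Return the fabric-wide validation flags plus a list of risky static bindings."""
    tree = json.loads(snapshot_text)
    roots = tree["imdata"] if "imdata" in tree else [tree]   # REST reply or bare tree
    settings, pools, domain_pools, epg_domains, epg_paths = {}, {}, {}, {}, {}
    for root in roots:
        for cls, a, owner in walk(root):
            if cls == "infraSetPol":
                settings = a
            elif cls == "fvnsEncapBlk":                     # VLAN block -> its pool
                lo, hi = vlan_id(a.get("from")), vlan_id(a.get("to"))
                if lo is not None and hi is not None:
                    pools.setdefault(owner, set()).update(range(lo, hi + 1))
            elif cls == "infraRsVlanNs":                    # domain -> pool
                domain_pools.setdefault(owner, set()).add(a.get("tDn"))
            elif cls == "fvRsDomAtt":                       # EPG -> domain
                epg_domains.setdefault(owner, set()).add(a.get("tDn"))
            elif cls == "fvRsPathAtt":                      # EPG -> static path binding
                epg_paths.setdefault(owner, []).append((a.get("tDn"), a.get("encap")))

    findings = []
    for epg, paths in epg_paths.items():
        domains = epg_domains.get(epg, set())
        allowed = set()                                     # VLANs the EPG's domains permit
        for dom in domains:
            for pool in domain_pools.get(dom, ()):
                allowed |= pools.get(pool, set())
        for path, encap in paths:
            vid = vlan_id(encap)
            if not domains:
                findings.append({"epg": epg, "path": path, "encap": encap, "reason": "no-domain"})
            elif vid is not None and vid not in allowed:
                findings.append({"epg": epg, "path": path, "encap": encap,
                                 "reason": "vlan-outside-domain-pools"})
    return {
        "domain_validation": settings.get("domainValidation") == "yes",
        "epg_vlan_validation": settings.get("validateOverlappingVlans") == "yes",
        "findings": findings,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_SNAPSHOT)
    print("Enforce Domain Validation on:", report["domain_validation"])
    for f in report["findings"]:
        print(f"{f['reason']:26} {f['epg']} {f['path']} {f['encap']}")
```

Point it at a real export by replacing SAMPLE_SNAPSHOT with the contents of an APIC configuration export or a REST query reply (the script accepts either the bare polUni tree or an imdata wrapper). Every line it reports is a binding that a Tenant Admin could push without the Access Policy Admin's domain ever being consulted; with domain_validation still False, those are exactly the bindings the fabric will program while only raising a fault on the EPG, which is the behaviour the question describes.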

Thank you so much, Chris, for the clarification/explanation and pictures.

I am really curious about this policy viewer, I will dig into it since it seems pretty useful.


Thanks!

Robert Burns
Cisco Employee

I can always count on Chris to keep me honest!  Serves me right trying to answer from memory.  Updated my original response to keep the information accurate.

Robert

I appreciate your time in clarifying this matter, thanks a lot.